Plus more blasts from the past: NetWare, FTP, and HTTP
# Vulnerability: "Squidbleed" Memory Leak in Squid Proxy
## CVE Details
- **CVE ID:** CVE-2026-47729
- **CVSS Score:** Not explicitly listed; estimated High (likely in the 7.5 to 8.1 range)
- **CWE:** CWE-126: Buffer Over-read (Heap Over-read)
## Affected Systems
- **Products:** Squid Caching Proxy Server
- **Versions:** Every version of Squid released between 1997 and June 2026 (prior to v7.6).
- **Configurations:**
- Default configurations are vulnerable.
- Affects deployments that handle cleartext HTTP traffic or that terminate TLS (HTTPS inspection).
- Requires the proxy to be able to make outbound connections to an attacker-controlled FTP server on TCP port 21.
## Vulnerability Description
The flaw originates from a 1997 code commit (bb97dd37a) intended to support legacy NetWare FTP servers. The code contains a `while` loop designed to skip whitespace in FTP directory listings: `while (strchr(w_space, *copyFrom)) ++copyFrom;`.
If an attacker-controlled FTP server sends a directory listing that omits the filename after the modification timestamp, the `copyFrom` pointer lands on the terminating NUL character. Because `strchr` treats the NUL terminator as a member of the string it searches (a search for `'\0'` matches the terminator of `w_space` and returns a non-NULL pointer), the loop does not stop at the end of the line and "walks" past the end of the buffer. The `xstrdup` function then copies the subsequent heap memory, which often contains plaintext HTTP requests, credentials, and session tokens, and returns it to the attacker as a "filename" in the directory listing.
## Exploitation
- **Status:** PoC available; discovery credited to Lam Jun Rong (Calif.io) and Mythos Preview.
- **Complexity:** Low
- **Attack Vector:** Network (Attacker triggers the proxy to request a directory listing from a malicious FTP server).
## Impact
- **Confidentiality:** High (Leakage of plaintext HTTP requests, passwords, API keys, and session tokens).
- **Integrity:** None
- **Availability:** None (Primarily an information disclosure/memory leak bug).
## Remediation
### Patches
- **Squid v7.6:** Released June 8, 2026. This version includes the fix (commit 865a131c7d557e68c965043d98c2eccae26deef8) which adds a check for the null terminator before the `strchr` call.
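The whitespace-skipping loop from the Vulnerability Description beside the terminator check this patch describes, as an added illustration rather than Squid's own code. The heap contents, the `w_space` set and the helper names are constructed for the demo; the over-read is kept inside one array so the program stays within defined behaviour while still showing what the loop hands to `xstrdup`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample heap region (not a real capture). The FTP listing line
 * stops right after the modification time with no filename, so the parser's
 * cursor ends on the terminating NUL. The bytes that follow stand in for
 * whatever happens to sit next on the heap, here a plaintext HTTP request. */
static const char heap_region[] =
    "-rw-r--r--   1 ftp ftp   4096 Jan 01 12:00"
    "\0"
    "GET /account HTTP/1.1\r\nCookie: session=constructed-token\r\n";

/* Whitespace set consulted by the listing parser (assumed contents). */
static const char w_space[] = " \t\r\n";

/* Vulnerable form, as described for the 1997 NetWare code path: strchr()
 * matches '\0' against the terminator of w_space and returns non-NULL, so
 * the loop steps over the end of the line instead of stopping there. */
static const char *skip_ws_vulnerable(const char *copyFrom) {
    while (strchr(w_space, *copyFrom)) ++copyFrom;
    return copyFrom;
}

/* Hardened form: test for the terminator before consulting strchr(). */
static const char *skip_ws_fixed(const char *copyFrom) {
    while (*copyFrom != '\0' && strchr(w_space, *copyFrom)) ++copyFrom;
    return copyFrom;
}

/* What the parser would pass to xstrdup() as the "filename" once it has
 * consumed the timestamp field. Returns NULL when no filename remains. */
const char *filename_after_timestamp(int hardened) {
    /* The timestamp ends exactly at the first NUL of heap_region. */
    const char *cursor = heap_region + strlen(heap_region);
    const char *name = hardened ? skip_ws_fixed(cursor)
                                : skip_ws_vulnerable(cursor);
    return *name == '\0' ? NULL : name;
}

int main(void) {
    const char *leaked = filename_after_timestamp(0);
    const char *safe = filename_after_timestamp(1);
    printf("vulnerable loop returns: %s", leaked ? leaked : "(none)\n");
    printf("fixed loop returns:      %s\n", safe ? safe : "(none)");
    return 0;
}
```

The vulnerable variant returns the adjacent request bytes as the "filename"; the fixed variant stops on the terminator and yields no filename, which is the condition the parser can reject.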
### Workarounds
- **Disable FTP:** Organizations should disable FTP support within Squid configuration unless there is a specific, documented business need. Modern browsers no longer support the protocol, making this attack surface unnecessary for most users.
## Detection
- **Indicators of compromise:** Unusual outbound FTP connections from the Squid proxy to unknown or untrusted external IP addresses.
- **Detection methods and tools:** Audit Squid logs for requests to FTP sites. Use network monitoring to detect anomalies in FTP directory listing traffic (specifically, listings missing filenames).
## References
- **Vendor Advisory:** hxxps[://]github[.]com/squid-cache/squid/releases
- **Researcher Blog:** hxxps[://]blog[.]calif[.]io/p/squidbleed-cve-2026-47729
- **Proof of Concept:** hxxps[://]github[.]com/califio/publications/tree/main/MADBugs/squidbleed
- **Patch Commit:** hxxps[://]github[.]com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8